From 76e10a3b6e413f95c69da14ef0ac49fd9c2d7db4 Mon Sep 17 00:00:00 2001
From: Ben Mares
Date: Sun, 22 Dec 2024 20:08:10 +0100
Subject: [PATCH 1/4] Don't persist credentials in pypi.yml

Ref:
---
 .github/workflows/pypi.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index 4d5fda17f2..b19429e7ba 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -26,6 +26,7 @@ jobs:
         with:
           fetch-depth: 0
           submodules: true
+          persist-credentials: false
 
       - name: Build SDist
         run: pipx run build --sdist
@@ -45,6 +46,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: hynek/build-and-inspect-python-package@v2
 
   build_wheels:
@@ -60,6 +62,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Build wheels
         uses: pypa/cibuildwheel@v2.22.0
@@ -76,6 +79,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/setup-python@v5

From afef4eaa9e4ce0661d60196d764f267615e64687 Mon Sep 17 00:00:00 2001
From: Ben Mares
Date: Sun, 22 Dec 2024 20:18:49 +0100
Subject: [PATCH 2/4] Don't persist credentials

This is an insecure default on GitHub that increases the chances of credential leakage.
---
 .github/workflows/mypy.yml | 2 ++
 .github/workflows/test.yml | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
index 32fd5ebfea..ff85db3abe 100644
--- a/.github/workflows/mypy.yml
+++ b/.github/workflows/mypy.yml
@@ -13,6 +13,8 @@ jobs:
         shell: bash -leo pipefail {0}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: mamba-org/setup-micromamba@v2
         with:
           micromamba-version: "1.5.10-0" # until https://github.com/mamba-org/setup-micromamba/issues/225 is resolved
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a319e23acc..53f1e16606 100644
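Review bot: `persist-credentials: false` is only safe for a job when no later step performs an authenticated git operation (push, fetch of protected refs, a post-checkout submodule update), because actions/checkout then no longer writes the token into the checkout's git config; the rest of each job lies outside these hunks, so please confirm none of them does, particularly the job at `@@ -76,6 +79,7 @@` which, given its `Set up Python` step, may be the publish job. `fetch-depth: 0` and `submodules: true` are handled inside the checkout action itself and are unaffected. A one-line comment on the first occurrence would stop the next copy-paste from reintroducing the default, e.g. `persist-credentials: false  # keep GITHUB_TOKEN out of .git/config; no later step needs git auth`. The same point applies to the other three pypi.yml hunks, the mypy.yml hunk, and the five test.yml hunks in the second patch.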
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -25,6 +25,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: dorny/paths-filter@v3
         id: changes
         with:
@@ -56,6 +57,8 @@ jobs:
         python-version: ["3.10", "3.12"]
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
@@ -146,6 +149,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
         uses: mamba-org/setup-micromamba@v2
         with:
@@ -229,6 +233,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Set up Python 3.10
         uses: mamba-org/setup-micromamba@v2
         with:
@@ -286,6 +291,8 @@ jobs:
     if: ${{ needs.changes.outputs.changes == 'true' && needs.all-checks.result == 'success' }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/setup-python@v5

From 7d1c45d85cd96e2ab001ae740cc8d5b10e662f04 Mon Sep 17 00:00:00 2001
From: Ben Mares
Date: Sun, 22 Dec 2024 20:21:04 +0100
Subject: [PATCH 3/4] Add zizmor exception for RTD pull_request_target trigger

---
 .github/workflows/rtd-link-preview.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/rtd-link-preview.yml b/.github/workflows/rtd-link-preview.yml
index 23a967e123..0eb2acd377 100644
--- a/.github/workflows/rtd-link-preview.yml
+++ b/.github/workflows/rtd-link-preview.yml
@@ -1,15 +1,15 @@
 name: Read the Docs Pull Request Preview
 on:
-  pull_request_target:
+  # See
+  pull_request_target: # zizmor: ignore[dangerous-triggers]
     types:
       - opened
 
-permissions:
-  pull-requests: write
-
 jobs:
   documentation-links:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - uses: readthedocs/actions/preview@v1
         with:

From e002108cea326de57de3dd38cd3f39b377aa6e04 Mon Sep 17 00:00:00 2001
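Review bot: The `# zizmor: ignore[dangerous-triggers]` suppression in the rtd-link-preview.yml hunk should carry its justification in the comment itself rather than only in the `# See` link above it (whose target does not appear in this copy of the patch), so a reader can check the argument without leaving the file. `pull_request_target` runs in the base repository with access to secrets and, here, `pull-requests: write`, which is acceptable only as long as the job never checks out or executes code from the pull request head; the only step visible in the hunk is `readthedocs/actions/preview@v1`, and its `with:` block and anything after it continue outside the hunk, so please confirm that stays true. Suggested wording: `# pull_request_target is needed so PRs from forks get the preview comment; safe because this job only runs readthedocs/actions/preview and never checks out or executes PR code.`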
From: Ben Mares
Date: Sun, 22 Dec 2024 20:22:18 +0100
Subject: [PATCH 4/4] Create zizmor workflow

---
 .github/workflows/zizmor.yml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000000..b747897eb8
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,36 @@
+# https://github.com/woodruffw/zizmor
+name: zizmor GHA analysis
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+jobs:
+  zizmor:
+    name: zizmor latest via PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - uses: hynek/setup-cached-uv@v2
+
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: results.sarif
+          # Optional category for the results
+          # Used to differentiate multiple results for one commit
+          category: zizmor
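Review bot: The `Upload SARIF file` step has no `if:` condition, so whenever the `Run zizmor` step exits non-zero — by my reading of zizmor's CLI it signals findings through its exit status unless `--no-exit-codes` is passed — the upload is skipped and the findings never reach code scanning, which defeats the purpose of producing SARIF; either add `if: always()` to the upload step or run `uvx zizmor --no-exit-codes --format sarif . > results.sarif` and let code scanning be the gate. The job-level `permissions:` block sets every unlisted scope to none, which is fine for a public repository, but `github/codeql-action/upload-sarif` documents additionally needing `actions: read` and `contents: read` in private repositories, so confirm which applies. All three actions are referenced by mutable tag (`actions/checkout@v4`, `hynek/setup-cached-uv@v2`, `github/codeql-action/upload-sarif@v3`); pinning each to a commit SHA with the tag in a trailing comment is the usual hardening for a workflow whose job is workflow security, and zizmor's own `unpinned-uses` audit is likely to report these. Likewise `uvx zizmor` resolves to whatever is newest on PyPI at run time, as the job name says; pinning `uvx zizmor==<VERSION-PLACEHOLDER>` would make runs reproducible and updates deliberate.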